Home > Risk > Protiviti study on IT auditing raises more questions than it answers

Protiviti study on IT auditing raises more questions than it answers

There’s a new Protiviti study. Their 2011 IT Audit Benchmarking Survey summarizes the input from nearly 500 professionals and makes a number of observations.

Before getting into those observations, I have a couple of my own:

  1. The report talks about IT risks – but there is no such thing as an IT risk, only business risks due to a failure of technology. These days, talking separately (from business auditing) about IT audit and IT risks is somewhat ‘old-fashioned’. Companies are now talking more about business risk and the role of IT as both an enabler of solutions and a source of issues. The trend is towards building an audit plan that addresses those business risks and will probably have fewer pure IT audits as a result.
  2. Most of the issues raised in the report (such as the fact that auditors struggle to keep up with technology) are ages-old. I have been in the profession since 1980 and they were problems then!

Here are their “key trends and takeaways”, with my comments.

“The growth and prevalence of technology throughout most operations in a company are outpacing the assessment, management and monitoring of related IT risks.”

  • This has been the case since man discovered fire – and the risk of burns came later
  • The report did not address whether IT auditors are involved in change projects, whether these are major new ERP implementations, moving infrastructure or applications to the crowd, or the embracing of social media and mobile. Maybe that can be included in the next survey

“IT risks do not garner nearly enough attention in organizations today, and in small companies in particular.”

  • IT is a source of business risk, not a risk in-and-of-itself. The study, I think, should have considered whether the internal audit function was looking at business risks – and considering the IT impact as part of that activity
  • The Protiviti statement may or may not be correct. Intuitively, as an IT auditor since (it seems) the dawn of computing, I think it is probably correct. But, the level of resources allocated to IT issues should be commensurate with the level of risk and balanced against the need to address other sources of risk.
  • In smaller companies (especially), the auditor has to take on all aspects of risk – including IT-related issues. He may be supplemented with co-sourcing.

“A large percentage of companies are not  complying with IIA Standard 2110.A2, which requires the internal audit function (usually through IT audit) to assess whether the organization’s information technology governance sustains and supports its strategies and objectives.”

  • A large part of IT governance activities may be included as part of the audits of IT general controls (which the study shows is allocated a large level of resources).
  • Even though the Standards require this, a risk-based planning exercise may have identified this as a lower risk area – and it would have been appropriate, therefore, not to include it in the plan.
  • The main standard here, 2110, requires internal audit to assess governance processes in general. That is even more of a problem (fewer assess and report on more than a couple of governance processes) than IT governance.

“Many organizations do not have the requisite skills and capabilities to assess their key IT risks adequately.”

  • See above. There is no such thing as an IT risk, let alone a key IT risk. And, keeping up with technology is a problem for the ages.

“A surprisingly large number of organizations fail to conduct an annual IT risk assessment.”

  • Good! They should be assessing business risk and not IT risk.
  • Good! It should be a continuing and not an annual process.

“IT audit functions in North America invest significantly more time on compliance-related activities than these functions do in other regions of the world.”

  • That may or may not be OK. It all depends on where a business risk-based audit program says the resources should be spent.

What do you think? I would appreciate your comments.

  1. Roy
    October 8, 2011 at 12:42 AM

    You say there is no such thing as an IT risk only a business risk due to…
    Following your reasoning there is also no such thing as an operational risk, financial risk etc.
    In my opinion, the term IT risk is just for categorization purposes.
    I don’t mind whether people use the term IT risk as long as we get the full picture during a risk assessment.

  2. Norman Marks
    October 8, 2011 at 8:37 AM

    Roy, fair comment. I should have explained myself better.

    If you take something like the possibility that the data center is closed down due to a flood. The risk (from my perspective – and that of ISACA in RiskIT) is not the closure itself, but the effect on the business: inability to bill customers, to close the financial books, etc.

    So the risk I worry about is that we are unable to bill customers, impacting revenue and cash flow, as a result of the closure of the data center.

  3. Jeff
    October 8, 2011 at 9:42 AM

    I like the thought process here. Business risk is what needs to be assessed. It can be termed operational risk or IT risk but the point is that there needs to be a holistic approach to the assessment of risk. This is not limited to IT, or operations, or finance, or sales, it is what is the impact on our otganization and who should address it.

    We cannot limit our assessment of risk by departmental categories.

  4. Thu Ly
    October 10, 2011 at 7:05 AM

    I tend to agree with Roy and Norman. Category does not matter, risk owner is matter at the end ragardless we call IT risk or Operational risk. But we need to know exactly who is risk owner to manage and mitigate risk.

  5. Justin
    October 18, 2011 at 5:05 PM

    If there is no such thing as an IT Risk then why do we need IT Auditors?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: